CVE-2026-24054 HIGH

CVE-2026-24054: Kata Containers Runtime: Host block device can be hotplugged to the VM if the container image is malformed or contains no layers

Vendor Kata-Containers
Product kata-containers
Weakness CWE-754
Published January 29, 2026
Last update January 29, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:P

What the vulnerability does

01Description

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue.

Key dates

02Disclosure timeline

January 29, 2026 CVE published
January 29, 2026 Record updated